https://community.isc2.org/t5/Tech-Talk/TPRM-fiasco/m-p/17821#M792 <P>Good day all!!</P><P>&nbsp;</P><P>Consider the situation - a third party that has been providing services for many years has revealed (during a review) that they do not provide encryption services (as per the customer requirements) as it's not viable for them financially. At the onset&nbsp; of the business relationship this was not the practice and it was ignored for some years and over time due to some regulations it has come up with high priority.</P><P>&nbsp;</P><P>Third party service provider not ready to provide the required service</P><P>Moving to another service provider will incur huge cost&nbsp; to the org</P><P>Encryption service is necessary for the compliance otherwise a huge fines and great danger to the business</P><P>&nbsp;</P><P>what is the best course of action?</P><P>&nbsp;</P> Fri, 11 Jan 2019 09:00:20 GMT iluom 2019-01-11T09:00:20Z https://community.isc2.org/t5/Tech-Talk/TPRM-fiasco/m-p/17821#M792 <P>Good day all!!</P><P>&nbsp;</P><P>Consider the situation - a third party that has been providing services for many years has revealed (during a review) that they do not provide encryption services (as per the customer requirements) as it's not viable for them financially. At the onset&nbsp; of the business relationship this was not the practice and it was ignored for some years and over time due to some regulations it has come up with high priority.</P><P>&nbsp;</P><P>Third party service provider not ready to provide the required service</P><P>Moving to another service provider will incur huge cost&nbsp; to the org</P><P>Encryption service is necessary for the compliance otherwise a huge fines and great danger to the business</P><P>&nbsp;</P><P>what is the best course of action?</P><P>&nbsp;</P> Fri, 11 Jan 2019 09:00:20 GMT https://community.isc2.org/t5/Tech-Talk/TPRM-fiasco/m-p/17821#M792 iluom 2019-01-11T09:00:20Z https://community.isc2.org/t5/Tech-Talk/TPRM-fiasco/m-p/17831#M794 <BLOCKQUOTE><HR /><a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/637665353">@iluom</a>&nbsp;wrote:<BR /><P>Good day all!!</P><P>&nbsp;</P><P>Consider the situation - a third party that has been providing services for many years has revealed (during a review) that they do not provide encryption services (as per the customer requirements) as it's not viable for them financially. At the onset&nbsp; of the business relationship this was not the practice and it was ignored for some years and over time due to some regulations it has come up with high priority.</P><P>&nbsp;</P><P>Third party service provider not ready to provide the required service</P><P>Moving to another service provider will incur huge cost&nbsp; to the org</P><P>Encryption service is necessary for the compliance otherwise a huge fines and great danger to the business</P><P>&nbsp;</P><P>what is the best course of action?</P><P>&nbsp;</P><HR /></BLOCKQUOTE><P>Document each course of action. Then do simple math to attempt to figure out best course of action.</P><P>Option 1) Do nothing. Yes this is always an option that most people forget about. Risk = Huge fines, breach of data, damage to corporate reputation, etc.</P><P>Option 2) Fire the current 3rd party and replace with new. Document the replacement cost vs current cost + fines</P><P>Option 3) Pay current vendor to remedy situation. Figure out cost to "upgrade" the service. Compare against costs of option #1.</P><P>Option 4) Can the service be brought in house? Figure out the costs and compare against all other options.</P> Fri, 11 Jan 2019 15:58:50 GMT https://community.isc2.org/t5/Tech-Talk/TPRM-fiasco/m-p/17831#M794 CISOScott 2019-01-11T15:58:50Z